Hashing a password with SHA256 on the client then bcrypt on the server

Does SRP solve this problem though? Given the context that this will be a security application, users will be pushed towards choosing a longer passphrase, which should resolve this problem. Another possibility is using their email address as a salt to get a hash with greater entropy. Is SRP a better solution than these? I'm unfamiliar with it.

Hashing before sending is performed to give the user verifiable assurance that we do not know their password, and also to make it more difficult to gain access if a hacker accesses our servers and is able to monitor inbound traffic - they would need to know the PBKDF2 key, which is generated from the original password, not the hash.
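The scheme these two comments describe, as an added example that is not code from the original thread: the client sends a SHA-256 digest of the password and separately derives a PBKDF2 key from the original password (using the email address as salt, as the first comment suggests), while the server applies its own slow hash to the received digest. It assumes constructed sample credentials and uses hashlib's PBKDF2-HMAC as a stand-in for the bcrypt step so it runs with the standard library only.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample credentials for the demo (not real account data).
EMAIL = "alice@example.com"
PASSWORD = "correct horse battery staple"


def client_auth_token(password: str) -> str:
    """What the client transmits instead of the raw password: SHA-256 hex digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def client_encryption_key(password: str, email: str) -> bytes:
    """PBKDF2 key derived from the ORIGINAL password, salted with the email address.
    This key never leaves the client; knowing the auth token does not yield it."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=32)


def server_store(auth_token: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side slow hash of the received token. The thread uses bcrypt here;
    PBKDF2-HMAC-SHA256 from hashlib is substituted so the example has no dependencies."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", auth_token.encode("utf-8"), salt, 100_000)
    return salt, digest


def server_verify(auth_token: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the slow hash with the stored salt and compare in constant time."""
    _, digest = server_store(auth_token, salt)
    return hmac.compare_digest(digest, stored)


def token_reveals_key(password: str, email: str) -> bool:
    """Models an attacker who captured the auth token in transit and feeds it to the
    same PBKDF2 derivation: the result does not match the real encryption key."""
    captured = client_auth_token(password)
    return client_encryption_key(captured, email) == client_encryption_key(password, email)


if __name__ == "__main__":
    tok = client_auth_token(PASSWORD)
    s, stored = server_store(tok)
    print("login ok:", server_verify(tok, s, stored))
    print("captured token yields encryption key:", token_reveals_key(PASSWORD, EMAIL))
```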